initial CCF commit

[nadavgru]

Change(s):

• Initial Filewall Data Connector

Reason for Change(s):

• Initial Filewall Data Connector

Version Updated:

• Initial version
• Including initial Workbook, Parsers, Data connector and Analytics Rules.

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[nadavgru]

@microsoft-github-policy-service agree [company="odix"]
@microsoft-github-policy-service agree
@microsoft-github-policy-service agree company="Microsoft"

[nadavgru]

@microsoft-github-policy-service agree company="odix"

[v-maheshbh]

Hi @nadavgru
BasePath Format:
Modify the BasePath to the following structure:
C:\GitHub\Azure-Sentinel\solutions\Solution Name

Kindly add the release notes with proper comments. Please include the workbook preview images inside the solution folder as well as in the following path:
https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks/Images/Preview.
Additionally, update the workbook metadata file and refer to any existing solution for guidance.

For the CCF connector, kindly refer to the solution provided below and attach the Testing screenshot of the connector in a connected state.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF/Data%20Connectors

Thanks!

[nadavgru]

Connected State:

[v-maheshbh]

Hi @nadavgru
The relevantTechniques field is missing in the analytic rule. Kindly update the rule to include the appropriate relevant techniques and update your branch from master to resolve the workbook validation issues.
Kindly add the release notes with version, date and descriptive details for this update.

For the CCF connector, kindly refer to the solution provided below.
https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF/Data%20Connectors

Thanks!

[v-maheshbh]

Hi @nadavgru
Please resolve the conflicts in this branch.

Thanks!

[v-maheshbh]

Hi @nadavgru

Kindly review the above comments and resolve the branch conflict.

Thanks!

[v-maheshbh]

Hi @nadavgru

Kindly resolve the branch conflict to proceed further.

Thanks!

[v-maheshbh]

Hi @nadavgru
Kindly attach the testing screenshots for the Analytical Rule, Workbook, Parser invocation logs, and the CCF Connector in a Connected state for validation.

Thanks!

[nadavgru]

Hi, Thank you so much for catching up. I'm currently on vacation and the project will continue only next month. Thanks you, Nadav Get Outlook for Android From: v-maheshbh ***@***.***> Sent: Monday, April 6, 2026 3:03:02 PM To: Azure/Azure-Sentinel ***@***.***> Cc: Nadav Gruber ***@***.***>; Mention ***@***.***> Subject: Re: [Azure/Azure-Sentinel] initial CCF commit (PR #13449)   v-maheshbh left a comment (Azure/Azure-Sentinel#13449) Hi @nadavgru Kindly attach the testing screenshots for the Analytical Rule, Workbook, Parser invocation logs, and the CCF Connector in a Connected state for validation. Thanks! — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>

[v-maheshbh]

Hi @nadavgru

Kindly resolve the branch conflict to proceed further.

Thanks!

[v-maheshbh]

HI @nadavgru

Kindly attach the testing screenshots for the Analytical Rule, Workbook, Parser invocation logs, and the CCF Connector in a Connected state for validation.
Thanks!

[nadavgru]

Hi @v-maheshbh , here are to final required screenshot.
thank you

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds the initial Filewall for Microsoft 365 Microsoft Sentinel solution content, including a Codeless (CCF/CLv2) REST API polling connector, parsers, analytics rules, and a workbook.

Changes:

• Added a new Filewall solution package (connector definition + DCR + tables + polling config, UI definition, solution data/metadata, release notes).
• Added Filewall parsers and two scheduled analytic rules.
• Added workbook content (and workbook gallery metadata), plus KQL validation artifacts for custom tables/functions.

Reviewed changes

Copilot reviewed 21 out of 30 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
Workbooks/WorkbooksMetadata.json	Registers a new Filewall workbook entry in the global workbook gallery metadata.
Workbooks/FilewallM365Overview.json	Adds a workbook template at the repo root for Filewall M365 overview.
Solutions/Filewall for Microsoft 365/Workbooks/FilewallM365Overview.json	Adds the solution-scoped copy of the Filewall M365 overview workbook.
Solutions/Filewall for Microsoft 365/SolutionMetadata.json	Introduces solution marketplace metadata (publisher/offer/support/categories).
Solutions/Filewall for Microsoft 365/ReleaseNotes.md	Adds initial release notes for the solution version.
Solutions/Filewall for Microsoft 365/Parsers/FilewallM365FileEvent.yaml	Adds Filewall file-event parser function.
Solutions/Filewall for Microsoft 365/Parsers/FilewallM365ExchangeEvent.yaml	Adds Filewall Exchange-event parser function.
Solutions/Filewall for Microsoft 365/Package/testParameters.json	Adds package test parameters for ARM/validation.
Solutions/Filewall for Microsoft 365/Package/createUiDefinition.json	Adds solution installation UI definition (portal experience).
Solutions/Filewall for Microsoft 365/Data/Solution_FilewallM365.json	Defines solution packaging manifest (connectors/workbooks/parsers/rules).
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_Table.json	Defines custom tables for Filewall Exchange/File logs.
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_PollingConfig.json	Defines 4 RestApiPoller connections (Exchange/SharePoint/OneDrive/Teams).
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_DCR.json	Defines DCR streams and transformations for custom tables.
Solutions/Filewall for Microsoft 365/Data Connectors/FilewallM365Logs_CCP/FilewallM365_ConnectorDefinition.json	Adds the connector UI definition, sample queries, and instructions.
Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedFiles.yaml	Adds scheduled rule for blocked files based on the parser.
Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedEmails.yaml	Adds scheduled rule for blocked emails based on the parser.
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json	Registers the new connectorId for detection schema validation.
.script/tests/KqlvalidationsTests/CustomTables/FilewallFile_CL.json	Adds custom table schema for KQL validation.
.script/tests/KqlvalidationsTests/CustomTables/FilewallExchange_CL.json	Adds custom table schema for KQL validation.
.script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365FileEvent.json	Adds function signature for KQL validation of the file parser.
.script/tests/KqlvalidationsTests/CustomFunctions/FilewallM365ExchangeEvent.json	Adds function signature for KQL validation of the Exchange parser.

[v-maheshbh]

Hi @nadavgru

Kindly review the above comments and address them as applicable. and update branch from master.

Thanks!

[nadavgr]

Hi @v-maheshbh, All fixed.
There was a comment on the publisher id.
I set it as "odix" as attached screenshot.
Is the correct?

Thanks

[v-maheshbh]

Hi @nadavgru

Kindly review and address the failed validations.
Thanks!

[nadavgru]

@v-maheshbh fixed validation issue.